How ISPs can sell your Web history—and how to stop them

How the Senate's vote to kill privacy rules affects you.

The US Senate yesterday voted to eliminate privacy rules that would have forced ISPs to get your consent before selling Web browsing history and app usage history to advertisers. Within a week, the House of Representatives could follow suit, and the rules approved by the Federal Communications Commission last year would be eliminated by Congress.

So what has changed for Internet users? In one sense, nothing changed this week, because the requirement to obtain customer consent before sharing or selling data is not scheduled to take effect until at least December 4, 2017. ISPs didn’t have to follow the rules yesterday or the day before, and they won’t ever have to follow them if the rules are eliminated.

But the Senate vote is nonetheless one big step toward a major victory for ISPs, one that would give them legal certainty if they continue to make aggressive moves into the advertising market. The Senate vote invoked the Congressional Review Act, which lets Congress eliminate regulations it doesn't like and prevent the agency from issuing similar regulations in the future. For ISPs, this is better than the FCC undoing its own rules, because it means a future FCC won't be able to reinstate them.

Unless the House or President Donald Trump opposes the Senate's action, ISPs will not have to worry about any strong privacy rules getting in the way of using your browsing history for profit. There won’t be any specific rules requiring them to get opt-in consent before sharing browsing history, even if that data is related to just one customer instead of being aggregated with other customers’ data in order to anonymize it.

Senate Democrats warned before yesterday’s vote that ISPs will be able to “draw a map” of where families shop and go to school, detect health information by seeing which illnesses they use the Internet to gather information on, and build profiles of customers' listening and viewing history.

The Senate vote was 50-48, with every Republican senator voting to kill privacy rules and every Democratic senator voting to preserve them.

ISPs can’t see encrypted traffic, so if you visit an HTTPS site, ISPs will see only the domain (like https://arstechnica.com) rather than each page you visit. But that’s still plenty, said Dallas Harris, an attorney who specializes in broadband privacy and is a policy fellow at consumer advocacy group Public Knowledge.

ISPs might be able to figure out where you bank, your political views, and your sexual orientation based on what sites you visit, Harris told Ars.

“You don’t need to see the contents of every communication” to develop efficient ad tracking mechanisms, she said. "The fact that you’re looking at a website can reveal when you’re home, when you’re not home.”

An ISP might notice that a particular tablet often visits children’s websites. From that, “they can infer that this tablet then belongs to a child” and deliver advertising targeted to kids. “The level of information that they can figure out is beyond what even most customers expect,” Harris said.
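To make the HTTPS point above concrete, here is an added example (not part of the original article) that builds the first handshake message a TLS client sends and reads the cleartext server name out of it. It assumes a standard TLS handshake without Encrypted Client Hello, as produced by Python's `ssl` module; the URL path is constructed for the demonstration.

```python
import ssl
from urllib.parse import urlsplit

def client_hello_bytes(hostname):
    """Return the first bytes a TLS client would send (no network needed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # writes the ClientHello, then waits
    except ssl.SSLWantReadError:
        pass                        # expected: no server ever answers
    return outgoing.read()

def u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")

def sni_from_client_hello(record):
    """Extract the server_name extension (type 0) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    body = record[5:5 + u16(record, 3)]   # strip the 5-byte record header
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + body[pos]                  # session id
    pos += 2 + u16(body, pos)             # cipher suites
    pos += 1 + body[pos]                  # compression methods
    end = pos + 2 + u16(body, pos)        # end of the extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
        pos += 4
        if ext_type == 0:                 # list len(2), name type(1), name len(2)
            name_len = u16(body, pos + 3)
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def visible_on_the_wire(url):
    """What an on-path observer learns from the handshake for this URL."""
    parts = urlsplit(url)
    hello = client_hello_bytes(parts.hostname)
    # The path is only sent later, inside the encrypted session.
    return {"hostname": sni_from_client_hello(hello),
            "path_in_handshake": parts.path.encode() in hello}

if __name__ == "__main__":
    # Constructed URL: the path is a placeholder, not a real article.
    print(visible_on_the_wire("https://arstechnica.com/constructed/article-path"))
```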

How the rules have changed

The legal changes all stem from the FCC's decision in February 2015 to reclassify home and mobile ISPs as common carriers. The reclassification had numerous effects: it allowed the FCC to impose net neutrality rules, but it also stripped the Federal Trade Commission of its authority over ISPs because the FTC's charter from Congress prohibits the agency from regulating common carriers.

Before the February 2015 reclassification, ISPs could have been punished by the FTC for violating customers' privacy. But following the FTC rules wasn't too onerous—the FTC recommends opt-in consent before selling or sharing the most sensitive information, such as Social Security numbers, the content of communications, financial and health information, information about children, and precise geo-location data. But ISPs could use an opt-out system for everything else, including Web browsing and app usage history.

The FCC's reclassification of ISPs removed FTC authority but imposed privacy requirements from Title II, Section 222 of the Communications Act. The problem is that Section 222 was written in 1996 for telephone service, so the FCC said it would write new broadband-specific rules explaining exactly how Section 222 would be enforced on ISPs. Those rules, including the opt-in requirements, were finalized in October 2016.

Theoretically, Congress and the FCC could return jurisdiction to the FTC by eliminating the privacy rules and eliminating the ISPs' common carrier classification. But even that might not work, because a federal appeals court ruling in August 2016 said that any company with a common carrier business cannot be regulated by the FTC at all, even when they're offering non-common carrier services. The common carrier designation is also used for landline phone and mobile voice service; that means ISPs like AT&T, Verizon, T-Mobile, and Sprint could be entirely exempt from FTC oversight. Comcast and other cable companies are only common carriers for Internet service because their VoIP phones are regulated differently, so they could more easily go back under FTC oversight.

But even if the FTC regains jurisdiction, its guidelines are weaker than the FCC's privacy rules. Thus, yesterday's Senate vote could leave us with no rules preventing ISPs from selling your Web browsing histories to advertisers and data brokers without obtaining opt-in consent.

When AT&T charged extra for privacy

The most prominent example of an ISP monetizing customers' browsing history comes from AT&T. Starting in 2013, AT&T charged fiber Internet customers at least $29 extra each month unless they opted in to a system that scanned customers' Internet traffic in order to deliver personalized ads.

AT&T killed this "Internet Preferences" program shortly before the FCC finalized its privacy rules. But that doesn't mean ISPs are giving up on advertising.

ISPs “want to be the advertising powerhouse, which is why they fought so hard against these rules,” Harris said. “They want to compete with Google and Facebook and other edge providers in the advertising space. This is going to be their new frontier, a new way for them to increase their profits.”

ISP lobby groups have argued that privacy rules would prevent them from showing Internet users more relevant advertising via “data-driven services” and would prevent ISPs from competing in the online advertising market. They’ve argued that Web browsing and app usage history should not be classified as “sensitive” information.

Advertising lobby groups, knowing that they could end up working more closely with ISPs, recently thanked Republican lawmakers for taking steps to kill the privacy rules.

AT&T sells advertising via its AdWorks division, which boasts of “more targeted” ads to “more screens,” via TV set-top boxes and online video. Comcast sells online advertising that can appear on xfinity.com and NBC sites. Verizon boosted its online advertising technology when it purchased AOL and is trying to finalize a purchase of Yahoo.

Because these ISPs operate their own advertising networks, they don't need to share individuals' browsing history with third parties in order to serve targeted ads. But they can use customers' browsing history to sell targeted ads. Businesses would pay the ISPs to have their advertising reach people who are more likely to buy their products, but only the ISPs would know exactly who those customers are.

“They’ve already begun marketing [to advertisers], explaining how they have the ability to track you on four devices,” Harris said. “Because they’re also your cable [TV] providers, they can combine what you’re watching on TV with what you’re doing on the Internet and looking at on your phones and your tablets. They’re heavily invested in this idea that they have a lot of data that can be valuable to advertisers and want to build up that part of their business.”

For ISPs that don't operate their own ad networks, getting into the targeted advertising business could involve sharing customers' browsing with third parties. The FCC privacy rules would have prevented both the internal use and sharing of such information without opt-in consent.

Well, if this all goes through then it looks like VPNs will boom. I have been looking at a few to gauge level of privacy and security. And sadly, I would trust a VPN over my ISP offering a "privacy fee".

> An ISP might notice that a particular tablet often visits children’s websites. From that, “they can infer that this tablet then belongs to a child,” and deliver advertising targeted to kids.

I would imagine that they would still need to comply with COPPA, in which case tracking/targeting children under 13 is all kinds of illegal. Although I don't doubt that they are lobbying hard to get that axed too.

> For example, the ISP knows when you visit https://arstechnica.com, but it doesn't see which articles you're reading.

When using HTTPS, the ISP will see only the IP address visited; the domain name will be encrypted inside the HTTP headers. For sites with static IP addresses, this would lead to a one-to-one mapping. For sites hosted through CDNs and proxies such as CloudFlare and for sites on shared hosting, it would be harder to tell.

When using HTTPS, at best, the ISP can use correlation with your DNS lookups to determine a probability that you've visited a certain site. I wonder if this is an opportunity for another misdirection type of tool, perhaps akin to TrackMeNot? (Whether this would be effective is up for debate.)

I think there could now be a good market for routers that are sold paired with VPN service. The fact is the vast majority of users will never enable VPN on their router, if their router even supports it. This needs to change and hardware that includes service could be a way.

I think it should be mentioned that Tor has a couple of other downsides:

1) It can be really, really, painfully slow. VPNs, if you're with a good provider, will likely be a lot faster, but with a bit lower level of privacy, *and* you typically pay for a VPN, while Tor is free.

2) It can be good that your connection can appear to come from anywhere in the world with Tor, but you also have little control over where your connections appear to come from. This means that you might be expecting, say, the US version of a site and are suddenly presented with the German or Russian version. VPNs, on the other hand, sometimes give you an option of what country your endpoint is in (which can be useful if, say, you are trying to access regionally-restricted content, or just to improve latency and bandwidth).

I would like to know this as well. Mr. Brodkin, can you look into this? I'm not finding any explanation (it might not be viable to filibuster since it's just the use of that GOP get-out-of-jail-free card legislation they passed previously... but I would like some confirmation of that). What's up here?

Sneaky they snuck it through the Senate 1st (where it'd be easier to quash it with public opinion) amongst the Health Care and Supreme Court drama.

There is no point in calling any Republican representative - unless you are planning on telling them you are going to make sure they don't get another term by voting for anyone else and donating to anyone but them.

> The Senate vote invoked the Congressional Review Act, which lets Congress eliminate regulations it doesn't like and prevent the agency from issuing similar regulations in the future. For ISPs, this is better than the FCC undoing its own rules, because it means a future FCC won't be able to reinstate them.

Ok, let's stop pointing fingers at who did what, this will do us no good. We know it's going to get passed, and we know the consequences. So, how about a list of how to fight back? We geeks are a disorganized bunch, but perhaps with the guidance of Ars, we could form some kind of group that could fight back (yeah, I know about donating to the EFF) or encourage all Ars users to get a VPN, or something.

Hell, ARS is always pushing "DealMaster" deals for cheapo laptops, perhaps it's time to push for something better, a lifetime subscription to ArsVPN or something.

Start putting up *step* *by* *step* instructions on how to set up a Streisand or run our own Tor nodes, anything to sow civil disobedience.

Talk about ironic, in order to register and be able to post on this site I actually had to turn off my VPN. Fuck that! And that was going to be the thrust of my post, I can't use VPN on Amazon prime video or on Netflix. I have to keep turning it off and on again which is a total pain. And if I have it on when shopping on Amazon they still know who I am and I still get advertising from them. So what is a poor boy to do?

It would be nice if the VPN list was updated to weed out the VPNs (every one on that old list) that reduce your speed to dial up speeds.

We really need a list that doesn't do that ...

First possibility: Run your own! Servers are cheap and setting up a VPN is easy. My server has 500Gb of traffic/mo and works great. (Especially since you can't use Netflix with it, price is about $20/year) Maybe Ars could make a guide for doing something like that?

Second possibility: Don't go for the cheapest carrier! I never had that problem unless I tried free services. I still have a VPN subscription with a Swedish carrier (that doesn't log) and it works great. There are some "slow downs" in the evenings but you can get 1MB/s any time.

A big reminder, if you go the VPN/Tor route, remember that most of your video content will not work. Netflix is a high profile example that even blocks VPS, but you can be certain that most networks/Hulu etc will block all VPNs.

There is another way to protect our personal data. Do not use social media sites, or the related, to log into other sites. Sites that want you to log in with facebook or with google or whatever, they are linking your accounts to your activity. I've seen a rise in that method where they entice consumers with popularity (among their own social clique) for the exchange of your data. Be mindful.

And that's only on the advertising side of things. I'm sure your insurance company will be interested in your browsing history as it correlates to safe/dangerous conduct. Employers may be interested in your history as a way of doing an extended background check. Credit monitoring companies might be interested in expanding their profiles.

ISPs are not like Google, Facebook, and Apple in regards to access to personal information. I have no choice of any other broadband provider. ISPs can view ALL the traffic from my household, including that of my children. There is no reasonable method to protect my family. I am also paying my ISP outrageous sums of money for service and receive poor customer service and poor quality of service. My family and I should not be exploited by them further.

Protect the constituents in your district from further abuse by the monopoly ISPs you have allowed to operate.

Does WOW! sell information to the presented advertisers?

No. Your personal information is completely safe and at no time does an advertiser even know which customers receive their ads online. Our location-based advertising program is based on a double-blind system which means that neither the advertiser nor the ad network which sells the ads ever has access to your personal information.

Also

Quote:

How is this different from behavioral online advertising?

Unlike behavioral advertising, location-based ads have nothing to do with your Web surfing history. If you see a location-based ad, it’s only because that advertiser has selected your zip code as an area they want to target.

Looks like I don't have to opt-out, even. I'm just fine with local mom-and-pop businesses being able to tell an ad network to only serve ads to people in my zip code (another Q/A on WOW's website).

EDIT: Not to say I won't be calling my representatives telling them as their constituent I do not approve of them voting in favor on the bill.